7 matches found
GHSA-453R-G2PG-CXXQ Local Incus UI web server vulnerable to nuthentication bypass
Summary The web server spawned by incus webui incorrectly validates the authentication token such that an invalid value will be accepted. Details incus webui runs a local web server on a random localhost port. For authentication, it provides the user with a URL containing an authentication token...
CVE-2026-33620
PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.7.8 through v0.8.3 accepted the API token from a token URL query parameter in addition to the Authorization header. When a valid API credential is sent in the URL, it can be exposed through...
CVE-2026-22644
Technical details (affected products, components, versions, root cause, exploit status) are not publicly provided in the connected documents. Monitor updates from Red Hat, CIRCL, NVD and others for confirmed remediation and impact.
EUVD-2026-2798
Certain requests pass the authentication token in the URL as string query parameter, making it vulnerable to theft through server logs, proxy logs and Referer headers, which could allow an attacker to hijack the user's session and gain unauthorized access...
CVE-2026-22644
Certain requests pass the authentication token in the URL as string query parameter, making it vulnerable to theft through server logs, proxy logs and Referer headers, which could allow an attacker to hijack the user's session and gain unauthorized access...
EUVD-2025-175341
Mattermost Mobile Apps versions =2.32.0 fail to verify that SSO redirect tokens originate from the trusted server, which allows a malicious Mattermost instance or on-path attacker to obtain user session credentials via crafted token-in-URL responses...
CVE-2022-27671
A CSRF token visible in the URL may possibly lead to information disclosure vulnerability...